Revision as of 20:08, 15 October 2014

- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

How to disable SSLv3

Following the recent discovery of a new SSL vulnerability (CVE-2014-3566: POODLE SSLv3), the SSLv3 protocol is considered unsafe. This is a protocol flaw, and Zimbra might include patches or configuration changes in future releases. See the existing bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976 for more information.

As a workaround, this guide shows how to disable SSLv3 in Zimbra. It has been tested on both the ZCS 8.0.8 and 8.5.0 releases.

Note: disabling SSLv3 might prevent older browsers that do not support TLS 1.0 from connecting to Zimbra over SSL.

Postfix (MTA)

ZCS 8.5.x

zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'

ZCS 8.0.x

At the MTA server, run:

postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'

Run "zmmtactl stop ; zmmtactl start" to force the changes, or wait for mailboxd to rewrite the Postfix config from LDAP after 2 minutes.

Note that smtpd_tls_protocols must be set again after every upgrade, as there is no way to preserve it in ZCS 8.0 and earlier.
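
Because the setting is lost on upgrade in ZCS 8.0.x, a check that can be rerun after each upgrade is useful. The script below is an added example, not part of the original page or of Zimbra; the function names sslv3_disabled and verdict are hypothetical, and it assumes postconf is on the PATH of the user running it.

```shell
#!/bin/sh
# Added example (not Zimbra code): decide whether a Postfix
# smtpd_tls_protocols value still allows SSLv3.

# sslv3_disabled VALUE -> exit status 0 if SSLv3 is off, 1 if it is still on.
# Postfix rules: names are separated by commas, colons or whitespace and are
# matched case-insensitively; "!name" excludes a protocol; if any name appears
# without "!", only the listed names are enabled; an empty value enables all.
sslv3_disabled() (
    set -f                          # no filename expansion while splitting
    excluded=no has_include=no included=no
    for tok in $(printf '%s' "$1" | tr ',:' '  ' | tr 'A-Z' 'a-z'); do
        case $tok in
            '!sslv3') excluded=yes ;;
            '!'*)     ;;                            # some other exclusion
            sslv3)    has_include=yes included=yes ;;
            *)        has_include=yes ;;            # an include list is in use
        esac
    done
    [ "$excluded" = yes ] && exit 0
    [ "$has_include" = yes ] && [ "$included" = no ] && exit 0
    exit 1
)

# verdict VALUE -> prints a one-line result for VALUE.
verdict() {
    if sslv3_disabled "$1"; then
        echo "OK: SSLv3 disabled"
    else
        echo "WARN: SSLv3 still enabled"
    fi
}

# Constructed sample values: the setting from this page, an empty value
# (as after a reset), a partial exclusion, and an include list.
for v in '!SSLv2,!SSLv3' '' '!SSLv2' 'TLSv1'; do
    printf '%-18s %s\n' "'$v'" "$(verdict "$v")"
done

# Live check on the MTA host, only if postconf is available.
if command -v postconf >/dev/null 2>&1; then
    printf 'live value: %s\n' "$(verdict "$(postconf -h smtpd_tls_protocols 2>/dev/null)")"
fi
```

A WARN on the live value after an upgrade means the postconf command above needs to be applied again.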

Nginx (Proxy)

ZCS 8.5.x

For https and Admin UI, please edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template. Include the following line under the server { } configuration: